The Privacy Act Review Report – What Businesses Need To Do Now To Prepare For Privacy Compliance Reform

 

Change is coming

On the 16th February 2023, the Attorney-General’s Department released the long-awaited report on its Review (Review) of the Privacy Act 1988 (Cth) (Privacy Act).

Just shy of 320 pages, and incorporating no less than 116 separate proposals, the Privacy Act Review Report (Report) heralds what is likely to be a significant change in the privacy compliance landscape in Australia.

In fact, some commentators have even compared it to another seismic shift in data protection in this country- the introduction of the first ‘National Privacy Principles’ (NPPs), as the private sector principles were originally known. Over two decades ago, we witnessed the dawn of the commencement of the amendments to the Privacy Act, the NPPs, to expand its coverage to the private sector. It may seem odd to recall, in this era of near constant data breach headlines, but there was a time in Australia where there was no specific privacy law covering the private sector!

The current reforms proposed in the Report are unlikely to achieve change at that level of magnitude. However, if (or perhaps, when) many of the proposals become law, the impact on business will be substantial. It is critical for businesses (particularly for rapidly growing SMEs that may yet to have mature compliance frameworks) to consider what they need to put in place now to absorb this impact, and position for growth in the new era of data protection.

 

Practical implications for business- top 5 takeaways of the Report

One of the positive aspects of a number of the reforms (from a pragmatic perspective) is that privacy compliance requirements may be simplified, or clarified- allowing business to streamline efforts, and reducing regulatory confusion for the Australian private sector.

We’ve highlighted some of the key proposals in the Report which we predict will have the most significant practical implications for business. Here are our top 5 takeaways to help businesses prepare for the changes ahead.

 

1. Removal of the small business exemption

Generally, the Australian Privacy Principles (APPs) in the Privacy Act apply to ‘APP Entities’. The APPs do not apply to private sector businesses that have a turnover of AUD3 million or less, unless the business is a health service provider; a contracted service provider to a Commonwealth contract; or ‘trades in personal information’. Proposal 6 in the Report seeks to plug that gap in coverage somewhat, by removing the small business exemption. While this may mean increased obligations for the small business sector, the simplification in compliance and contract negotiations that will ensue could mean less ambiguity across the corporate sector in general.

One of the main impacts of the current small business exemption that we often see in advising clients, is that it leaves businesses that are APP Entities in a difficult position when contracting small business third parties to handle their customer’s personal information. The service agreements for these types of arrangements may have inadequate (or completely absent) privacy clauses. This means that if the small business third-party service provider does not protect the personal information (or worse, suffers a data breach), the contracting business has little to no mechanism under the contract (or under legislation) to protect itself and its customers.

The Report flags that further consultation will be undertaken regarding this proposal, meaning that actual removal of the small business exemption may be some time away. In the interim, pending removal of the exemption, Proposal 22 introduces the concept of an ‘APP Entity Processor’ to be included in the Privacy Act. Although also subject to further consultation, this proposal may helpfully extend to third party data handling arrangements and provide greater protection for businesses (large and small).

 

2. Proposals to align with GDPR & standardise Privacy Policies & Privacy Collection Notices

It’s long been argued that Privacy Policies have become almost impenetrable- difficult for customers to read and understand, and challenging for businesses to draft, maintain and update. Part of the reason for this is the different requirements (and terminology) that apply depending on the jurisdictions that the business may be operating in.

For example, there are a number of specific ‘rights’ under the European Union’s strict data protection law, the General Data Protection Regulation (GDPR), all of which generally need to be addressed in the Privacy Policy. In Australia, the approach to protecting individual’s personal information under the Privacy Act is fundamentally different. Instead of bestowing rights on individuals, the Privacy Act imposes obligations on organisations and agencies. This means that the language and approach in Privacy Policies is difficult to adapt across jurisdictions (not to mention, the terminology used in different privacy law regions is quite different).

The Report proposes (Proposal 18) the introduction of some ‘Rights of the Individual’ to the Privacy Act that align with those under the GDPR (e.g. right to objection; right to erasure etc.). The result of this reform may be increased clarity- both for businesses looking to understand their obligations and customers wanting to know how they can protect their own data.

There is also a further proposal (Proposal 10) to develop standardised content for Privacy Policies and Privacy Collection Notices. As noted by many submitters to the Review, this should simplify compliance and assist individuals’ understanding of the documents. If implemented successfully, this measure may help businesses of all sizes to:

• streamline their compliance efforts;
• pay less in legal drafting fees; and
• provide greater consistency for their customers.

 

3. Narrowing of the employee records exemption

Currently, an APP Entity that is or was an employer is exempt from the operation of the Privacy Act for an act or practice directly related to its employment relationship with an individual, and an employee record it holds relating to the individual. This is referred to as the ‘employee records exemption’.

Although the Report stops short of recommending removal of the employee records exemption, it does propose (Proposal 7.1) extending a number of the privacy protections in the Privacy Act to private sector employees. In particular, under the proposed reforms, private sector employers may be required to provide employees with greater transparency regarding collection and use of their information, and to protect that information from unauthorised access or interference. In addition, the Report proposes that employees and the Information Commissioner be notified in the event of a data breach involving employee personal information which is likely to result in serious harm.

This change may require a cultural shift for the business’ own culture setter- the ‘People & Culture’ (or HR) team. For decades, the existence of the employee records exemption in the Privacy Act, has meant that a large proportion of the personal information handled by HR business units may not have been subject to the same compliance requirements as the rest of the personal information held by a company. There have been numerous high profile data breaches involving recruitment platform/service providers contracted by HR departments, which have exposed this approach as the chink in the business’ privacy compliance and data breach defence armour. That’s because, while the personal information of employees may not have been subject to data protection laws- the personal information of unsuccessful job candidates and referees often was.

Hopefully, the proposed reforms will introduce consistency of compliance approaches across business units and team, and a more cohesive and simplified privacy management approach. At the very least, it will be less confusing which personal information held by the business is at issue in the unfortunate event of a data breach.

 

4. Requirement for businesses to conduct Privacy Impact Assessments (PIAs))

The Report proposes (Proposal 13) that APP Entities be required to undertake PIAs for any ‘high risk activity’. Specifically, mandatory PIAs would apply where an APP Entity is considering an activity ‘likely to have a significant impact on the privacy of individuals’. While PIAs are already commonly used tools in the public sector, there may be a degree of upskilling required across the private sector to comply with this requirement should it become law. In particular, businesses will need to understand how to conduct a PIA by considering and assessing the potential impacts of projects and activities on privacy,  and identifying any appropriate measures to mitigate those risks.

Understanding what a PIA is, and how to work through the PIA process, becomes even more important in the context of the further element of the proposal. Specifically, the Report proposes that APP Entities be required to produce the PIA to the privacy regulator, the Office of the Australian Information Commissioner (OAIC) on request.

 

5. Finally, a word on penalties

While technically not part of the Report itself, it is important to consider all of the proposed reforms in the context of the actual reform that took place in the wake of the Optus and Medicare data breaches last year. That is, the substantial increase in penalties under the Privacy Act.

As of November of 2022, the maximum penalties for a serious or repeated breach of privacy increased (from AUD$2.22M) to not more than the greater of:

 

• $AUD50M;
• 3 x the value of any benefit of the misuse of the information; OR
• (if the benefit obtained cannot be determined) 30% of a company’s ‘adjusted turnover’ (as defined) in the relevant period.

 

This potential impact to the bottom line should be even greater incentive for businesses to ensure that they are ready for reform.

 

Prepare now with ComPotency

At PB, we are specialists in regulatory compliance, and data protection and privacy in particular. We know first-hand that operationalising privacy compliance is critical to a business’ ability to respond quickly to new privacy law requirements. For that reason, we’ve built our online training and compliance platform, ComPotency, designed to support businesses just like yours to empower and embed compliance.

To learn how to boost your team’s data breach resilience through 24/7 access to targeted training, core policies and procedures and other privacy compliance guidance (including PIA tools) – book a call with our PB team here to find out about how our ComPotency platform can help you to supercharge privacy compliance today.

You can also download our Free Operationalising Privacy Compliance White Paper, for more useful tips to help your business prepare for the new era in data protection.